On 09/19/2010 09:33 AM, Mr Dash Four wrote:
> One of the limitations in ipset is that it does not allow me to specify
> IP,Port pairs in the same construct (map, hashmap etc) where the IP
> address is not a B-class address (/16). To overcome this issue I have
> resorted to some creative Shorewall statements in my rules file like:
>
> ACCEPT $FW:+dest-port-map[dst] net:+dest-ip-map
>
> This produces the right result, in a round-about way (it produces a code
> containing 2 match-set constructs - both are 'dst').

That's the best way to do what you are trying to do.

> Is there another - preferably more straight-forward - possibility? I was
> thinking of, maybe, separating the second part (net:...) with commas and
> using something like:
>
> ACCEPT $FW net:+dest-ip-map,+dest-port-map

That syntax is already supported but produces two separate rules; been that way forever so changing it is not an option.

> but do not know whether it is possible to implement in Shorewall? The
> above alternative would also allow me to include ipset pairs containing
> protocols (udp, tcp, icmp even)

I'll think about an alternative syntax for 4.4.14...

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
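The two forms discussed above are not equivalent, and the difference matters for what the firewall lets through. The following is an added illustrative model written for this thread, not Shorewall's compiler or any code from the list: it takes the thread's own description at face value (the `[dst]` form yields one rule carrying two `dst` match-set constructs, the comma form yields two separate rules) and evaluates constructed sample packets against both. Set contents, addresses and ports are made up for the demonstration.

```python
"""Model of the two Shorewall rule forms from the thread (illustrative only)."""
import ipaddress

# Constructed sample contents for the two ipsets named in the thread.
DEST_IP_MAP = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]
DEST_PORT_MAP = {("tcp", 443), ("tcp", 22)}


def in_ip_set(dst_ip):
    """Equivalent of '-m set --match-set dest-ip-map dst' succeeding."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in DEST_IP_MAP)


def in_port_set(proto, dport):
    """Equivalent of '-m set --match-set dest-port-map dst' succeeding."""
    return (proto, dport) in DEST_PORT_MAP


def combined_rule_accepts(proto, dst_ip, dport):
    """ACCEPT $FW:+dest-port-map[dst] net:+dest-ip-map
    One rule with two match-set constructs: both must match (logical AND)."""
    return in_ip_set(dst_ip) and in_port_set(proto, dport)


def comma_form_accepts(proto, dst_ip, dport):
    """ACCEPT $FW net:+dest-ip-map,+dest-port-map
    Two separate ACCEPT rules: the first one that matches wins (logical OR)."""
    return in_ip_set(dst_ip) or in_port_set(proto, dport)


def render_rules(form):
    """Shape of the generated iptables matches, as the thread describes them
    (constructed rendering; the real compiler output is not on the page)."""
    ip_match = "-m set --match-set dest-ip-map dst"
    port_match = "-m set --match-set dest-port-map dst"
    if form == "combined":
        return [f"-A fw-net {port_match} {ip_match} -j ACCEPT"]
    return [f"-A fw-net {ip_match} -j ACCEPT", f"-A fw-net {port_match} -j ACCEPT"]


def overreach(packets):
    """Packets the comma form accepts that the combined form does not."""
    return [p for p in packets if comma_form_accepts(*p) and not combined_rule_accepts(*p)]
```

The comma form admits traffic to any listed port regardless of destination address, and to any listed address regardless of port, which is exactly the looser policy the original poster was trying to avoid.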
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
